On Fri, Mar 14, 2014 at 5:06 PM, Wayne E Bouchard <w...@typo.org> wrote:
> Have we ascertained if there is a typical configuration adjustment
> that can be made to reduce or eliminate the likelihood of impact?
>

I think your best tactic is: provide specified DNS resolver cache servers. Don't use CPEs for DNS forwarders.

The trouble is.... a CPE's management/locally-bound IP address is in many cases the same IP address that is a NAT address shared with user traffic, instead of a dedicated, separate IP address whose traffic can be managed and security-controlled.

Providing you ensure that the CPE's bound IP address is not overloaded or shared with user traffic, you might try firewalling destination port 53 to the CPE, except from the proper upstream DNS resolvers, since nothing else should be "replying" to a DNS request made by the CPE.

Look into whether the CPE can use a different, lesser-used UDP port than 53 to forward DNS requests to; use device firewall rules or upstream ACLs to limit which source IP addresses can talk to the service on the CPE's IP.

To ascertain effectiveness for a specific CPE, you would need to run a sample exploit with a before and after test.

> (From the description it sounds as though this is not possible but it
> doesn't hurt to ask.)
>

--
-JH
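As an added illustration of the filtering the reply describes (example code, not from the thread), this Python models a WAN-side rule that admits UDP traffic to the CPE's forwarder port only from the configured upstream resolvers, flags the shared management/NAT address case the reply calls "the trouble", and renders the equivalent nftables rules; all addresses, the interface name `wan`, and the class and function names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class CpeDnsPolicy:
    """WAN-side filter for a CPE acting as a DNS forwarder: only the
    configured upstream resolvers may send UDP to the forwarder port;
    anything else aimed at that port on the CPE is dropped.
    Addresses used below are constructed (RFC 5737 documentation ranges)."""
    cpe_wan_ip: str
    nat_pool_ip: str           # address that NAT'd user traffic leaves from
    upstream_resolvers: tuple
    forwarder_port: int = 53   # the post suggests moving this off 53

    def shares_address_with_nat(self) -> bool:
        # The problematic case: a port-53 rule on this address also sits in
        # the path of ordinary user return traffic, so it is hard to filter.
        return ip_address(self.cpe_wan_ip) == ip_address(self.nat_pool_ip)

    def decide(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        if ip_address(dst_ip) != ip_address(self.cpe_wan_ip):
            return "not_covered"   # not addressed to the CPE itself
        if dst_port != self.forwarder_port:
            return "not_covered"   # not DNS to the forwarder
        allowed = {ip_address(r) for r in self.upstream_resolvers}
        return "accept" if ip_address(src_ip) in allowed else "drop"

    def nftables_ruleset(self, wan_if: str = "wan") -> str:
        # Textual rendering of the same policy (hypothetical interface name).
        match = f'iifname "{wan_if}" ip daddr {self.cpe_wan_ip} udp dport {self.forwarder_port}'
        return (
            "table inet cpe_dns {\n  chain input {\n"
            "    type filter hook input priority 0; policy accept;\n"
            f"    {match} ip saddr {{ {', '.join(self.upstream_resolvers)} }} accept\n"
            f"    {match} drop\n  }}\n}}\n"
        )

# Constructed sample: dedicated management address, two upstream resolvers.
POLICY = CpeDnsPolicy("203.0.113.7", "203.0.113.8", ("192.0.2.53", "198.51.100.53"))

# Constructed WAN-side packets: (src_ip, dst_ip, dst_port)
SAMPLES = {
    "upstream_reply": ("192.0.2.53", "203.0.113.7", 53),     # legitimate reply
    "stray_query": ("198.51.100.9", "203.0.113.7", 53),      # anyone else hitting port 53
    "nat_return": ("198.51.100.9", "203.0.113.8", 40000),    # user NAT return traffic
}

def classify_samples(policy=POLICY, samples=SAMPLES) -> dict:
    return {name: policy.decide(*pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    print(classify_samples())
    print(POLICY.nftables_ruleset())
```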